Risk Management

Wednesday July 2, 2008

 Risk Management Process

Narrative: Risks are identified by any project / division / program stakeholder and entered into the Risk Tracker system. The risk
undergoes an initial assessment by the Program / Division / Project Manager. The risk is then assigned to a responsible party to
manage the risk and determine a treatment strategy. The risk is periodically updated and reported on in the program monthly status
report if it meets reporting thresholds.
Benefits of Current Risk Management Process:
•Flexible open source Trac project tracking system has
been tailored to manage risk documentation, risk
management, and risk reporting for the entire program.
•Standard processes across applications, projects and
divisions
•Adheres to GSA SDLC

Define
Establish A
Organization,
Risk
Resources,
Management
Approaches
Strategy
and Schedules Plan /
Program Mangers / Risk Evaluate
Execute Risk
Management Shared Service / Select Report
Avoidance.
Team Risks to Risks
Mitigation,
Manage
Determine Risk Contingency
Categories Track
Parameters, Risks
Division Program Status and
Manger / Process Reporting Perfor
Engineering Manager / Identify m Risk
Project Manager / Risks Assess
Project Lead ment

Project Team /
Stakeholders

Unisys Proprietary Information Page 2

 Risk Management – Risk Identification

• Risk Identification
– Risks are inherent in events that, when triggered, cause problems.
– Risk identification starts with the source of problems.
• Is it a Risk or an Issue?
– Risks are problems caused by future events
– Issues are current problems
– Some problems may have occurred, but may also occur again in the future.
Treat these as risks.
• Source Analysis
– The risk sources may be internal or external to the system.
– Examples of risk sources are:
• External organizations providing information, hardware, software or people.
• New technologies that have not been used.
• Other projects or emergencies that may divert resources from the project.
• Significant events that may alter the scope, resources or time allotted.
• Problem Analysis
– Risks are related to identified threats.
– Any threat to the success of the project or organization is a potential risk.

Unisys Proprietary Information Page 3

 Risk Management – Risk Identification

• Common Risk Checking - A sample list of common known

risks in the software industry:
– Budget, external constraints, politics and resources
– Capacity, documentation, familiarity, robustness, usability of
methods, tools and supporting equipment that will be used in the
system development
– Communication, cooperation, domain knowledge, experience,
technical knowledge and training of the personnel associated with
technical and support work on the project
– Complexity, difficulty, feasibility, novelty, verifiability and volatility of
the system requirements
– Correctness, integrity, maintainability, performance, reliability,
security, testability and usability of the SDLC work products
– Developmental model, formality, manageability, measurability, quality
and traceability of the processes used to satisfy the customer
requirements
– Internal and external threats to and vulnerabilities of the system and
the information it stores, processes and transmits.

Unisys Proprietary Information Page 4

 Risk Management – Risk Identification

• Some Example Risks:

– SmartPay2 Data Providers not on-boarding
If the relationship with the banks that will not be providing the
data to SmartPay2 is not managed, schedule delays will result
due to lack of coordination and implementation.
– SWS Stock/SOP Regulations
Acquisition Management is the supporting organization
responsible for updating regulations. Approximately 400
Stock/SOP regulations exist. If these regulations are not current,
then the solicitations created by SWS can not be used.
– Email Server Integration
The PO Portal’s requirement to send a nightly order summary
email or individual order status email will increase the mail server
load. It is known tha the existing mail server is already running at
maximum capacity and requires periodic intervention by the
Operations Team. If capacity on the email server is not
increased, alert messages will time out and will not be sent.

Unisys Proprietary Information Page 5

 Risk Management – Risk Assessment

• Priority = Impact * Probability

• Impact
– Impact is the consequence of the event if it occurs.
– There are three impact areas: cost, schedule, or performance
– If the above impact areas are not negatively affected, then the event
is not a risk
– Impact is measured on a scale of 1 to 3, 3 being the highest
consequence to the project
• High (3) – Risk that has the potential to prevent project completion or
success by negatively impacting project cost, schedule, or performance.
• Medium (2) – Risk that has the potential to delay project completion or
success by impacting cost, schedule, or performance.
• Low (1) – Risk that has relatively minimal impact on project completion or
success by impacting cost, schedule, or performance.

Unisys Proprietary Information Page 6

 Risk Management – Risk Assessment

• Probability
− Four contributing factors to probability are:
• Immaturity,
• Dependency,
• Complexity, and
• Consistency.
− Probability is measured on a scale of 1 to 3, 3 being the
highest probability of occurrence:
• High (3)- Greater than 70% likelihood of occurrence
• Medium (2) - Between 30% and 70% likelihood of occurrence
• Low (1) - Below 30% likelihood of occurrence.

• Priority = Impact * Probability

• Example
– Medium Impact and High Probably
– Priority = 2 * 3 = 6

Unisys Proprietary Information Page 7

 Risk Management – Risk Classification

High (3) Medium High High

(70-100%) (Priority 3) (Priority 6) (Priority 9)
Probability

Medium (2) Low Medium High

(30-70%) (Priority 2) (Priority 4) (Priority 6)

Low (1) Low Low Medium

(0-30%) (Priority 1) (Priority 2) (Priority 3)

Low (1) Medium (2) High (3)

Impact

Unisys Proprietary Information Page 8

 Risk Management – Risk Treatment Strategy

• Risk Acceptance
– May accept the risk if you have no control or influence
– Actions
• No action
• Contingency Plan, identify the trigger that initiates the plan, the actions
(tasks) and who is responsible

• Risk Avoidance
– Don’t perform the activity that carries the risk

• Risk Mitigation
– Take actions to reduce the impact or probability of the risk
– Identify the actions, who is responsible and the milestone dates

• Risk Transfer
– Transfer the risk to another party

Unisys Proprietary Information Page 9

 Risk Management – Project Plan

• Build your risk mitigation and contingency tasks into

your project plan.
– Mitigation tasks may take the form of:
• Training
• Prototypes
• Requirements and Design Review Sessions
• More through peer reviews
• Performance or stress tests
• Status checks with external organizations providing or receiving
information
– If the Risk is high, include your contingency plans
• Time to revise programs
• Additional testing time and resources

Unisys Proprietary Information Page 10

 Risk Management – Risk Tracker

• Risk Tracker is used to capture and status of all risks.

http://dtrac.fss.gsa.gov/projects/RiskTracker/
– Monthly Status Report (MSR) risks are created by running a report
and cutting/pasting the text into MS Word
– Summary: Risk Title
– Description:
• Describe the future event and consequences if it occurs
• “if <event> occurs, then <bad thing> will happen”
– Assign to: The person that will manage and report on this risk (this
person has to have logged into Risk Tracker at least once to be in the
Assign to list).
– Type: Risk or Issue. We are focusing on risks. Issues may be
captured as well.
– Priority: Priority should be manually calculated from impact and
probability.

Unisys Proprietary Information Page 11

 Risk Management – Risk Tracker

• Mitigation Plan
– Identify the tasks to mitigate the risk and number them.
– For each task, identify who has responsibility for that task and the milestone
dates for accomplishing actions under the tasks.
– As the status of the mitigation tasks changes, but no less than once a
month, update the status of the mitigation task. At the end of the task, put
the date, then the updated status. Do not remove previous task information.
• Contingency Plan
– Identify the Trigger for the contingency plan and the person responsible for
the tasks in the plan. If you know the date when the trigger event is likely to
occur add that. Describe the tasks.
• Avoidance Plan
– This could be a transfer of risk responsibility or a change in approach that
avoids the risk altogether.
– Again, include responsible persons and dates.

Unisys Proprietary Information Page 12

 Risk Management

• Be an active risk manager. Make it real.

– Start now.
– Risk Management is the responsibility of all project managers and team leads.
– DPMs are responsible for making sure risks are being managed and reported.
– Start risk identification and assessment in the planning stage.
– Include risk management on the agenda for your status meetings.
– Review the mitigation and contingency tasks and document the updated status.
– Mark tasks as complete and add new mitigation tasks as appropriate.
– Update the status in Risk Tracker during the meeting or immediately following.

Unisys Proprietary Information Page 13

 RiskTracker

• URL: http://dtrac.fss.gsa.gov/projects/RiskTracker/
• Support/Administration Contacts (add projects, change
custom fields, change permissions, report help, etc…)
– Benjamin Murphy | benjamin.murphy@gsa.gov |
703.888.0722
– Girish Ghaisas | girish.ghaisas@gsa.gov | 703.605.9024
– Dinanath Satam | dinanath.satam@gsa.gov | 703.605.9024

Unisys Proprietary Information Page 14